Freecad, TCP download without permissions

Post by freedman »

Hi, first post so... thanks to all the programmers. I need money so I can't help.
Been using FreeCAD for a few months, 0.17 is really something, the datum stuff really helped me.

Here is my issue, maybe this post will get erased, maybe not. This software is freeware so I have been monitoring TCP and nothing was going on until now. I clicked on the "Robot" workbench and TCP fired up and started downloading something, I don't know what because I stopped the wireless connection and rebooted.

Security is everything to me, in my opinion any program that downloads something without asking is just a virus waiting to happen especially a program that has multiple submitters. I'm running your app and you allow it to download and do what?

CB1

Post by wmayer »

> I clicked on the "Robot" workbench and TCP fired up and started downloading something
AFAICS it doesn't download anything when switching to Robot workbench. However, when switching to the StartPage I can observe that it establishes a connection to github.

@yorik, when I start with a clean user.cfg and open the StartWorkbench then ProcessExplorer (it's a kind of advanced task manager on Windows) tells me that FreeCAD establishes a connection to github and this happens even with the privacy stuff you implemented recently. Can you confirm this?

Post by wmayer »

When activating the Start page then JavaScript invokes this function

function load() {
    // load latest news
    ddiv = document.getElementById("news");
    ddiv.innerHTML = "Connecting...";
    var tobj=new JSONscriptRequest('https://api.github.com/repos/FreeCAD/FreeCAD/commits?callback=showTweets');
    tobj.buildScriptTag(); // Build the script tag
    tobj.addScriptTag(); // Execute (add) the script tag
    ddiv.innerHTML = "Downloading latest news...";

    // load version
    var script = document.createElement('script');
    script.src = 'http://www.freecadweb.org/version.php?callback=checkVersion';
    document.body.appendChild(script);
}

Post by freedman »

I just tried the "Startup" workbench and when it starts I see a connection made to "github" and "wired-net.de". "Whois" on "wired-net.de" that doesn't look so good to me.

I should add that I went into the "Robot" workbench and clicked on "Example", at that point the program fired up TCP and started a download. I presume it was downloading an example for the robot workbench. That's where I have issue.

For the security minded, I don't see any TCP on program startup in "part design, sketch, part" or any other workbench except for the "startup workbench" and I'm thinking don't download any examples from the program.

I'm not pointing fingers at the programming group here, I trust 99% of all programmers.

Thank you
CB1

Post by freedman »

I use this to monitor connections: "C:\Windows\System32\perfmon.exe /res" on a Win7 machine.

Post by wmayer »

> "Whois" on "wired-net.de" that doesn't look so good to me.
wired-net.de is the web hosting company of freecad.org

As said here https://forum.freecadweb.org/posting.ph ... 7#pr222615 the JavaScript function gets a list of recent commits from github and also runs a php script to get a version number (I don't know for which purpose exactly).

But I agree that this should not happen without user permission.

Post by wmayer »

> I should add that I went into the "Robot" workbench and clicked on "Example", at that point the program fired up TCP and started a download. I presume it was downloading an example for the robot workbench. That's where I have issue.
This runs this Python script which only opens a local file. I can't see how this should open a TCP connection.

Post by freedman »

Thanks,
I suppose at some point I'll need to modify the source and remove all the connection stuff. That's open source, you can have it any way you like and compile it. I wish I could do more to help this effort, I really like the process of 3D drawing, 3D print, done. From thought to a part in my hand in 1/2 hour.

I'll post a list of communications code changes if I go down the road of code mods. Hope that helps....

CB1

Post by freedman »

What would I do to ask for the addition of an option menu item? The option could set a flag used in low level code that disables TCP/IP or any external comm. protocol? If written into the lower levels, upper level calls could be attempted by anyone but would get trapped. Obviously a future feature.
Thanks
CB1

Post by wmayer »

> The option could set a flag used in low level code that disables TCP/IP or any external comm. protocol?
At a low level this is not possible because the communication is implemented in a 3rd party library -- in this case it's done inside the Qt Webkit module where we have no direct access to internals.
What should be checked is whether the class used, QWebPage or QWebView, offers an option not to fetch any remote content, or whether the relevant methods can be re-implemented in a sub-class.

If there is no such way then the StartPage must be changed not to automatically download remote content. Recently this git commit 2c2d781aa68 was added which attempts to fix this issue but to me it looks like it still downloads information from github but just doesn't show it. When pressing the "Enable download" link it shows the previously downloaded content.
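
The distinction drawn in the last post, between hiding content that was already downloaded and not requesting it at all, as an added example (not FreeCAD's code). The two URLs come from the `load()` function quoted earlier in the thread; the `allowRemote` flag, the function names and the fake document used to count requests are assumptions for illustration.

```javascript
// Added example. URLs are the two from the thread's load() function.
const REMOTE_SOURCES = [
  'https://api.github.com/repos/FreeCAD/FreeCAD/commits?callback=showTweets',
  'http://www.freecadweb.org/version.php?callback=checkVersion',
];

// Appending a <script> element is what makes the page contact the remote
// host, and the response then runs as code inside the page.
function appendScript(doc, src) {
  const script = doc.createElement('script');
  script.src = src;
  doc.body.appendChild(script);
}

// "Download, then hide": requests go out whatever the user chose;
// consent only controls whether the result is displayed.
function loadThenHide(doc, allowRemote) {
  for (const src of REMOTE_SOURCES) appendScript(doc, src);
  doc.getElementById('news').hidden = !allowRemote;
}

// Gate the request itself: without consent no script tag is created,
// so no connection is opened.
function loadWithConsent(doc, allowRemote) {
  const news = doc.getElementById('news');
  if (!allowRemote) {
    news.innerHTML = 'Remote content is disabled.';
    return;
  }
  news.innerHTML = 'Downloading latest news...';
  for (const src of REMOTE_SOURCES) appendScript(doc, src);
}

// Constructed stand-in for the browser document: it records the src of
// every appended script instead of fetching it, so this runs offline.
function makeFakeDocument() {
  const requested = [];
  const news = { innerHTML: '', hidden: false };
  return {
    requested,
    getElementById: (id) => (id === 'news' ? news : null),
    createElement: (tag) => ({ tag, src: '' }),
    body: { appendChild: (el) => { if (el.tag === 'script') requested.push(el.src); } },
  };
}

// Returns the list of URLs a loader would have contacted.
function requestsMade(loader, allowRemote) {
  const doc = makeFakeDocument();
  loader(doc, allowRemote);
  return doc.requested;
}
```

With consent withheld, `requestsMade(loadThenHide, false)` still lists both hosts, while `requestsMade(loadWithConsent, false)` is empty, which is the behaviour a connection monitor such as perfmon would confirm.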